Uni degrees have nothing to do with cybersecurity innovation: Malwarebytes founder

Relying on universities to fill the cybersecurity skills gap will leave companies struggling to staff their teams, the founder of a global endpoint-security company has warned as he considers new strategies to recruit staff for the company’s new Australian operation.

Although many in business have habitually turned to universities to design cybersecurity courses and deliver trained students ready for the workplace, Malwarebytes founder and CEO Marcin Kleczynski told CSO Australia that systemic weaknesses in academia meant that businesses needed to take a much broader approach to recruitment.

“We don’t hire the traditional [university] degrees or resumes” to fill the company’s R&D laboratories, he said. “A lot of people come by reputation: we look at these open source projects, look at blog posts, and talk to researchers that are doing this altruistically and want to make a name for themselves. They are already driving innovation for free – and they just don’t have a vehicle to do so.”

Universities, by contrast, had failed to develop consistent training in cybersecurity and often told him they couldn’t even source appropriate lecturers for such courses – because all qualified candidates had opted for more-lucrative careers in private enterprise.

“If I only hired people with degrees in cybersecurity I don’t think we would have the staff,” Kleczynski said. “Many universities are keeping their heads in the sand, and not doing programs due to a lack of funding or professors. But how can they possibly churn out candidates that are ready for the workforce if there are no security programs?”

By one estimate, there will be 3.5m unfilled cybersecurity jobs by 2021. The lack of formal cybersecurity skills has dogged the Australian industry, with hands-on certifications pre-empting university training, changes to 457 visa rules further complicating the matter and many CISOs turning to automation to make up for the paucity of skilled engineers.

The deficiency of university-trained cybersecurity experts has become bad enough that IBM recently released a list highlighting five “new collar” cybersecurity careers that don’t require a university degree. These include ethical hackers, threat monitoring analysts, cyber help desk analysts, technical writers, and security awareness trainers.

The need to adjust skills expectations has reinforced the value of the informal process that Kleczynski has followed since founding Malwarebytes in his parents’ garage in 2008. Just as his remediation-focused technology “was unlike any security tool built,” he said, he has built a corporate culture focused on results and innovation.

“I like to fail fast,” he explained, “and while I wouldn’t say we have perfected it, we have done a really good job at it. We’re trying to match the skill sets of these hackers: they’re not really criminals in the rudimentary sense, but they are people who are fascinated with the idea of getting into systems that are air-tight.”

Such people tend to make their own footprints online, but that hasn’t turned Kleczynski off the idea of working with universities to help them develop more industry-ready skills, more quickly. Just months after the company established its Australian presence, he is considering partnerships with the university sector to help harness “untapped potential” in this country.

“We haven’t really been able to grow here as quickly as I would like,” he said, noting that he was eager to grow the company’s six-strong local team and would consider suitable candidates no matter where they are based.

“The people we hire are passionate and knowledgeable about security,” he said. “We have technical people talking with customers on a daily basis, and their ability to feed back issues into the broader team, and R&D team, is unique from what I’ve seen so far. The more markets we’re in, the better outputs we can get.”


Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.